As more and more computers are interconnected through various networks, such as the Internet, computer security also becomes increasingly more important. In particular, computer security in regard to external attacks from malware has become, and continues to become, increasingly more important. Malware, for purposes of the present discussion, is defined as unwanted computer attacks. As such, those skilled in the art will appreciate that malware includes, but is not limited to, computer viruses, Trojan horses, worms, denial of service attacks, abuse/misuse of legitimate computer system functions, and the like. The primary defense against malware is anti-virus software.
FIGS. 1A and 1B are pictorial diagrams illustrating how anti-virus software currently operates with respect to malware. In particular, FIG. 1A illustrates how anti-virus software detects known malware, and prevents the known malware from reaching and infecting a computer. Alternatively, FIG. 1B illustrates a common weakness of anti-virus software, particularly, how anti-virus software is unable to detect and prevent modified malware, such as packed malware, from reaching and infecting the computer. What is meant by “reaching” the computer is getting past the anti-virus software. Those skilled in the art will readily recognize anti-virus software almost always resides on the computer it is protecting, and operates on incoming data as it physically arrives at the computer. Thus, while incoming data, including malware, may be located at the computer, for purposes of the present invention, the incoming data does not actually “reach” the computer until it gets past the anti-virus software.
As shown in FIG. 1A, a malware 102 is directed over a network 106 to the computer 110, as indicated by arrow 108. It will be appreciated that the malware 102 may be directed to the computer 110 as a result of a request initiated by the computer, or directed to the computer from another network device. However, as mentioned above, before the known malware 102 reaches the computer 110, anti-virus software 104 installed on the computer intercepts the malware and examines it. As is known in the art, currently, anti-virus software scans the incoming data as a file, searching for identifiable patterns, also referred to as signatures, associated with known malware. If a malware signature is located in the file, the anti-virus software 104 takes appropriate action, such as deleting the known malware/infected file, or removing the malware from an infected file, sometimes referred to as cleaning the file. In this manner, anti-virus software 104 is able to prevent the known malware 102 from infecting the computer 110, as indicated by the arrow 112.
Those skilled in the art will appreciate that almost all unknown malware are actually rewrites or reorganizations of previously released malware. Encountering an absolutely novel malware is relatively rare, as most “new” malware are actually rewrites or rehashes of existing malware. Indeed, it is a simple task for a malicious party to superficially modify the malware, therefore creating “new” malware. The result of the superficial modification is that the static appearance of the malware is altered, though the functionality of the malware often remains the same. Unfortunately, current anti-virus software operates only on known malware. Thus “new,” superficially modified malware, while functionally identical to its original/parent malware, is not detected or stopped by the installed anti-virus software 104, due to the anti-virus software's pattern matching system.
One method that is commonly used by malicious parties to modify their malware is often referred to as packing an executable file. Packing an executable file involves encrypting and/or compressing the executable file, and combining the encrypted and/or compressed result with an executable code segment, thereby creating a packed executable file, hereafter referred to more simply as a packed executable. Encrypting and/or compressing files, including executable files, are techniques known in the art. However, while packing an executable file is also known in the art, a brief description of a packed executable may be helpful for understanding aspects of the present invention.
FIG. 2 is a block diagram illustrating an exemplary packed executable. As shown in FIG. 2, a packed executable 200 typically includes two parts: a loader/unpacker area 202, and a packed code/data area 204. As those skilled in the art will appreciate, the packed executable 200 is, of itself, an executable file. The loader/unpacker area 202 represents the executable portion of the packed executable 200. Alternatively, the packed code/data area 204 represents the “original” encrypted and/or compressed executable file. The purpose of the loader/unpacker area 202 is, upon execution of the packed executable 200, to restore the packed code/data area to its original, unpacked state, and then to execute the unpacked executable file. Executing the packed executable, i.e., unpacking and executing the packed executable file, is performed seamlessly by the loader/unpacker area 202. As such, a user may be entirely unaware that an executable is, in fact, a packed executable. Functionally, the result of executing the packed executable is the same as executing the original, unpacked executable.
With reference again to FIG. 1B, this figure is a pictorial diagram illustrating how current anti-virus software is unable to prevent a packed malware 116 from reaching the computer 110. As shown in FIG. 1B, known malware 102 undergoes a packing process 114, resulting in packed malware 116. As mentioned above, the packed malware 116 will most likely have a different static appearance, though its functionality will be identical. However, because the static appearance is modified, the packed malware 116 is not “known” malware, recognizable by the anti-virus software 104.
The packed malware 116 is directed through the network 106 to the computer 110, as indicated by arrow 118. As described above, the anti-virus software 104 attempts to identify the packed malware 116 to determine whether it is known malware and should be stopped. As the packed malware 116 is, as yet, an unknown modification, and because the signature of the packed malware is not the same as the original malware 102, the anti-virus software 104 fails to identify the packed malware as malware, and permits it to reach the computer 110, as indicated by arrow 120. Upon reaching the computer 110, the packed malware 116 is able to perform its destructive purpose. It is only after an anti-virus software provider identifies a signature pattern for the packed malware 116, and then updates the anti-virus software 104, that the anti-virus software can protect the computer 110 from the packed malware 116.
Constantly evaluating unknown malware to determine a static signature and then updating anti-virus software with that signature is a costly process. It is also inefficient, especially when considering that most malware are only superficially, not functionally, modified from their parents, as is the case with packed executables. Thus, it would be beneficial if packed executables could be unpacked in order to determine whether the unpacked executable is malware in disguise.
In light of the above-identified problems, it would be beneficial to computer users, both in terms of computer security and in terms of cost effectiveness, to provide an extensible unpacker module that operates in conjunction with anti-virus software or other malware detection systems, so that packed malware may be recognized for what it is. The present invention addresses this and other issues found in the prior art.
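The following Python model is an added illustration of the FIG. 2 layout and of the unpack-then-scan idea described above; it is not code from the patent. The loader stub, the toy packing format (zlib plus a single-byte XOR), the sample executable bytes and the signature are all constructed placeholders, and a real loader/unpacker area would be native code rather than a marker string.

```python
import zlib
from typing import Optional

# Constructed sample "executable" and a constructed signature for it (toy values, not real IoCs).
ORIGINAL_EXE = b"MZ" + b"\x90" * 16 + b"TOY_MALWARE_SIGNATURE" + b"\x00" * 32
SIGNATURES = {"toy.malware": b"TOY_MALWARE_SIGNATURE"}

# Stands in for the loader/unpacker area (202); real packers emit executable code here.
LOADER_STUB = b"LOADER:"


def pack(exe: bytes, key: int = 0x5A) -> bytes:
    """Build a packed executable: loader/unpacker area followed by the packed code/data area (204)."""
    compressed = zlib.compress(exe, 9)
    encrypted = bytes(b ^ key for b in compressed)
    header = bytes([key]) + len(encrypted).to_bytes(4, "little")
    return LOADER_STUB + header + encrypted


def is_packed(data: bytes) -> bool:
    """Recognize this toy packer by its loader stub, as an unpacker module would fingerprint a known packer."""
    return data.startswith(LOADER_STUB)


def unpack(data: bytes) -> bytes:
    """Perform statically what the loader/unpacker area does at run time: restore the original executable."""
    if not is_packed(data):
        raise ValueError("not a packed executable in this toy format")
    off = len(LOADER_STUB)
    key = data[off]
    length = int.from_bytes(data[off + 1:off + 5], "little")
    encrypted = data[off + 5:off + 5 + length]
    return zlib.decompress(bytes(b ^ key for b in encrypted))


def scan(data: bytes) -> Optional[str]:
    """Plain signature scan of the file as received (the FIG. 1A behaviour)."""
    for name, sig in SIGNATURES.items():
        if sig in data:
            return name
    return None


def scan_with_unpacker(data: bytes) -> Optional[str]:
    """Signature scan extended with an unpacker stage: if the file is packed, scan the unpacked form too."""
    hit = scan(data)
    if hit is None and is_packed(data):
        hit = scan(unpack(data))
    return hit
```

Running `scan(pack(ORIGINAL_EXE))` reproduces the FIG. 1B failure (no match on the packed bytes), while `scan_with_unpacker` on the same input recovers the match.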